What is certificate expiration?

Like other identity mechanisms such as a passport or a driver's licence, a certificate has a fixed lifetime. The certificate includes two date fields, which indicate the certificate's start date and expiration date. These fields are given the names not before and not after respectively. Once a certificate's not after date has passed, the certificate has expired and is no longer valid.

What problems can result from certificate expiration?

Certificate expiration is a normal occurrence, and if a certificate is renewed before expiration there will be no problems. However, if someone forgets to renew a certificate it can have serious consequences, such as:

  • A website displays a big scary warning message to visitors, which will decrease conversion rates at the online shop by 50+%, costing thousands or tens of thousands of lost sales before it is fixed.
  • The person who forgot to renew the certificate doesn't get their bonus, or worse.
  • Financial penalties because of failure to meet the SLA on a critical service.
  • Many man-hours lost before an expired certificate is identified as the cause of a mission-critical service suddenly stopping.
  • Reputational damage.

These are just a few of the issues that can result from an expired certificate. Suffice it to say, allowing a certificate to expire is something you want to avoid at all costs.

What can I do to reduce the risk of an unexpected certificate expiry?

There are a number of measures you can take to reduce the risk of being caught out by a certificate expiration. These include:

  • Create an inventory of your deployed certificates. Many organisations try to do this using a manual process and a spreadsheet. However, this is typically error-prone and resource-intensive. A better alternative is to use a tool such as CertAlert to help obtain an accurate inventory of the certificates you have deployed. Another useful tool is Red Kestrel CertCentre, which provides a centralised view of all your certificates and allows you to annotate certificates with additional information, such as the administrator's contact details and any system idiosyncrasies to be aware of.
  • Actively monitor your certificates. Use a tool like Red Kestrel CertAlert to monitor your certificates and to send out alerts to the appropriate parties when a certificate is approaching expiry.
  • Set up a certificate operations role. This role is responsible for checking that certificates have been renewed and for chasing up system administrators and departments that have not renewed a certificate that is approaching expiry. Set up a role-based email address, e.g. "[email protected]", and ensure it maps to the person who is currently responsible for making sure that certificates are renewed. This person should use a tool like CertCentre to keep track of which certificates are deployed and which ones are approaching expiry.
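
The inventory and monitoring measures above can be illustrated with a small Python example. It is added here, is not part of the original page, and is not how CertAlert or CertCentre work: it classifies each inventory record by its not before and not after dates and lists the ones that need chasing, most urgent first. The host names, owners, dates and the 30-day warning window are constructed assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

WARN_WINDOW = timedelta(days=30)  # assumed alert threshold, not from the page

# Constructed inventory. Dates use the text format ssl.getpeercert() returns.
INVENTORY = [
    {"host": "shop.example.com", "owner": "web-team",
     "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan  1 00:00:00 2025 GMT"},
    {"host": "api.example.com", "owner": "platform-team",
     "notBefore": "Mar  1 00:00:00 2024 GMT", "notAfter": "Jan 24 00:00:00 2025 GMT"},
    {"host": "intranet.example.com", "owner": "it-ops",
     "notBefore": "Jun  1 00:00:00 2024 GMT", "notAfter": "Jun  1 00:00:00 2025 GMT"},
    {"host": "new.example.com", "owner": "web-team",
     "notBefore": "Feb  1 00:00:00 2025 GMT", "notAfter": "Feb  1 00:00:00 2026 GMT"},
]

def parse_cert_time(text):
    """Convert a certificate date string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def classify(cert, now, warn=WARN_WINDOW):
    """Return (status, whole days until not after) for one record at `now`."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    days_left = (not_after - now).days
    if now < not_before:
        return "not_yet_valid", days_left
    if now > not_after:
        return "expired", days_left
    if not_after - now <= warn:
        return "expiring_soon", days_left
    return "ok", days_left

def attention_list(inventory, now):
    """Records that need action, fewest days left first, with the owner to chase."""
    rows = []
    for cert in inventory:
        status, days_left = classify(cert, now)
        if status != "ok":
            rows.append((days_left, cert["host"], cert["owner"], status))
    return sorted(rows)

if __name__ == "__main__":
    for days_left, host, owner, status in attention_list(INVENTORY, datetime.now(timezone.utc)):
        print(f"{host:24} {status:14} {days_left:5d} days  notify {owner}")
```

A record that is not yet valid is reported as well, since a certificate deployed before its not before date is rejected by clients just as an expired one is.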